{"id":30481014,"url":"https://github.com/luisfer/ubon","last_synced_at":"2026-02-01T21:05:50.319Z","repository":{"id":311278016,"uuid":"1043207355","full_name":"luisfer/ubon","owner":"luisfer","description":"Peace of mind for vibe-coded apps","archived":false,"fork":false,"pushed_at":"2025-09-18T07:27:39.000Z","size":1164,"stargazers_count":36,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-18T07:29:47.875Z","etag":null,"topics":["nextjs","python","react","security","typescript","vibe-coding","vibe-coding-assistant"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/ubon","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/luisfer.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-08-23T11:11:55.000Z","updated_at":"2025-09-17T15:04:50.000Z","dependencies_parsed_at":"2025-08-23T20:07:08.238Z","dependency_job_id":"3027f81a-d4ff-4c6f-bd6a-2a99446cec57","html_url":"https://github.com/luisfer/ubon","commit_stats":null,"previous_names":["luisfer/ubon"],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/luisfer/ubon","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luisfer%2Fubon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luisfer%2Fubon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luisfer%2Fubon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luisfer%2Fubon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/luisfer","download_url":"https://codeload.github.com/luisfer/ubon/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luisfer%2Fubon/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28990747,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-01T20:57:35.821Z","status":"ssl_error","status_checked_at":"2026-02-01T20:57:29.580Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["nextjs","python","react","security","typescript","vibe-coding","vibe-coding-assistant"],"created_at":"2025-08-24T13:24:20.390Z","updated_at":"2026-02-01T21:05:50.314Z","avatar_url":"https://github.com/luisfer.png","language":"TypeScript","funding_links":[],"categories":["TypeScript"],"sub_categories":[],"readme":"# 🪷 Ubon\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"branding/Ubon.png\" alt=\"Ubon — Peace of mind for vibe‑coded apps\" width=\"100%\" /\u003e\n\u003c/p\u003e\n\n\u003e **TL;DR**\n\u003e\n\u003e Fed up with \"You're absolutely right!\" when debugging vibe‑coded apps with AI?\n\u003e\n\u003e ```bash\n\u003e npm i -g ubon@latest\n\u003e ubon scan --interactive  # Guided issue walkthrough\n\u003e ```\n\u003e\n\u003e 🪷 Peace of mind for vibe‑coded apps.\n\n[![npm version](https://badge.fury.io/js/ubon.svg)](https://badge.fury.io/js/ubon)\n[![npm downloads](https://img.shields.io/npm/dm/ubon.svg)](https://npmjs.com/package/ubon)\n[![Test Coverage](https://img.shields.io/badge/coverage-70%25-green.svg)](./coverage)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n\n## Contents\n\n- [What is Ubon?](#what-is-ubon)\n- [How Ubon Compares](#how-ubon-compares)\n- [The Problem](#the-reality-of-debugging-ai-generated-code)\n- [About](#about-me-and-ubon)\n- [Quick Start](#quick-start)\n- [What's New in v2.0.0](#whats-new-in-v200)\n- [Commands](#commands)\n- [Configuration](#configuration)\n- [Documentation](#documentation)\n\n## What is Ubon?\n\n**Ubon is a security scanner designed for AI-generated code.** It catches the issues that traditional linters miss: hardcoded secrets, accessibility failures, broken links, and those subtle vulnerabilities that only surface in production.\n\nUbon is a fast static analysis tool for modern, AI‑generated \"vibe‑coded\" apps. It finds real, shippable issues—secrets, insecure cookies/redirects, accessibility problems, broken links, and config mistakes—and explains how to fix them with file:line context.\n\nUse the colorized triage in the terminal or JSON/SARIF for CI and AI. Profiles cover Next.js/React, Python, and Rails (experimental). See profiles in `docs/PROFILES.md` and the full capability matrix in `docs/FEATURES.md`.\n\n### At a glance\n\n- Security, accessibility, links, and config checks across Next.js/React, Python, Vue, and Rails (experimental)\n- Human-friendly triage: grouping, color, context, explanations, confidence scores\n- Baselines and inline suppressions for low-noise adoption\n- JSON and SARIF outputs for CI and AI; OSV caching for speed\n- Safe autofixes and optional PR creation; watch mode and changed-files gates\n\n## How Ubon Compares\n\n| Feature | Ubon 🪷 | ESLint | npm audit | Lovable Scanner |\n|---------|---------|--------|-----------|-----------------|\n| **Hardcoded Secrets** | ✅ High accuracy | ❌ No | ❌ No | ⚠️ Basic patterns |\n| **Supabase RLS Validation** | ✅ Deep analysis | ❌ No | ❌ No | ⚠️ Shallow check |\n| **Vite Security** | ✅ Specialized | ❌ No | ❌ No | ❌ No |\n| **Accessibility (a11y)** | ✅ Comprehensive | ⚠️ Plugin only | ❌ No | ❌ No |\n| **AI-Generated Code Issues** | ✅ Purpose-built | ❌ No | ❌ No | ⚠️ Limited |\n| **Link Validation** | ✅ External + Internal | ❌ No | ❌ No | ❌ No |\n| **Placeholder Detection** | ✅ DEV001-005 | ❌ No | ❌ No | ❌ No |\n| **Auto-Fix** | ✅ Safe fixes | ⚠️ Some rules | ❌ No | ❌ No |\n| **Interactive Mode** | ✅ Guided debugging | ❌ No | ❌ No | ❌ No |\n| **CI/CD Integration** | ✅ SARIF, JSON | ✅ Yes | ✅ Yes | ⚠️ Limited |\n| **SQL Injection (Supabase)** | ✅ Query analysis | ❌ No | ❌ No | ❌ No |\n\n**TL;DR**: Use ESLint for code style, npm audit for known CVEs, and Ubon for AI-generated code security.\n\n## The Reality of Debugging AI-Generated Code\n\n### Without Ubon\n\n\u003e **User**: \"The payment button doesn't work\"\n\u003e\n\u003e **AI**: \"You're absolutely right! Let me fix that for you...\"\n\u003e\n\u003e _regenerates the component_\n\u003e\n\u003e **User**: \"Still broken\"\n\u003e\n\u003e **AI**: \"I apologize! Let me try a different approach...\"\n\u003e\n\u003e _adds more event handlers_\n\u003e\n\u003e **User**: \"Nothing happens when I click\"\n\u003e\n\u003e **AI**: \"I see the issue now! Let me update the onClick handler...\"\n\u003e\n\u003e _rewrites the same broken logic_\n\u003e\n\u003e _[3 hours later...]_\n\u003e\n\u003e **User**: \"PLEASE JUST MAKE IT WORK\"\n\u003e\n\u003e **AI**: \"I understand your frustration! Let me completely refactor...\"\n\n### With Ubon\n\n```bash\n$ ubon check --group-by severity --min-severity medium\n\n🪷 Ubon — Triage\nHigh: 1 error   Medium: 1 warning\n\nHIGH\n  ❌ SEC003 Hardcoded OpenAI key (lib/ai.ts:12)\n     fix: Move key to OPENAI_API_KEY env var\n\nMEDIUM\n  ⚠️ A11Y001 Image without alt attribute (components/Hero.tsx:22)\n     fix: Add alt=\"\" or a short descriptive text\n```\n\n**Result**: Issues fixed in minutes, not hours.\n\n## About me and Ubon\n\nHi, I'm [Luisfer Romero Calero](https://lfrc.me), an experienced software engineer passionate about building products and being creative. I created Ubon in six days, obsessed with solving a problem I kept seeing everywhere: the current wave of AI-generated \"vibe-coded\" apps that, while incredibly quick to build, are frustrating to deploy and use because AI overlooks so many essential details.\n\nThe explosion of AI-generated apps through tools like Lovable, Replit, Cursor and Windsurf has democratized software creation. But it's also created a quiet reliability crisis. Non-technical users prompt AI with \"this doesn't work!!!\" without knowing what to check, they don't have the vocabulary to prompt precisely, and AI assistants miss the non‑obvious issues that slip past linters: hardcoded secrets, broken links, accessibility failures, and those subtle security vulnerabilities that only surface in production.\n\nI built Ubon after realizing that instead of fighting this AI-powered wave, we should embrace it and make it better. Think of Ubon as a safety net for the age of AI-generated code, a gentle guardian that catches what traditional tools miss. It works seamlessly with the standard Next.js/React repos that agentic AI tools create by default, as well as Python projects and Vue.js ones.\n\nMy hope is that Ubon becomes so essential it gets baked into Cursor, Windsurf, and other AI coding tools, automatically scanning every vibe-coded creation before it hits production. Because when anyone can ship software, everyone needs peace of mind.\n\n_Ubon_ means lotus in Thai, inspired by Ubon Ratchathani province where someone very special to me is from. The lotus represents the clarity and peace of mind this tool brings to debugging.\n\n## Quick Start\n\n### Installation\n\n```bash\nnpm install -g ubon\n```\n\n### Basic Usage\n\n```bash\nubon check                    # Quick static analysis\nubon scan --interactive       # Guided issue walkthrough\nubon check --ai-friendly      # JSON output for AI agents\nubon explain SEC001           # Learn about a specific rule\n```\n\n## What's New in v2.0.0\n\n**Vibe Code Detection** — 4 new rules for AI-generated code:\n- **VIBE001**: Hallucinated imports — packages not in package.json\n- **VIBE002**: Copy-paste artifacts — repeated code blocks\n- **VIBE003**: Incomplete implementations — placeholders, stubs, \"Not implemented\"\n- **VIBE004**: Orphaned exports — unused exports\n\n**New Features:**\n- **Security Posture Score**: 0-100 score with visual bar\n- **`--preview-fixes`**: See diff-like preview before applying fixes\n- **`confidenceReason`**: Each finding explains its confidence level\n- **`ubon explain \u003crule\u003e`**: Get detailed info about any rule\n- **Cursor Integration**: `docs/CURSOR.md` guide and `.cursor/rules/`\n- **All scanners exported**: Use any scanner programmatically\n\n```bash\n# Preview what would be fixed\nubon check --preview-fixes\n\n# See security posture score\nubon check\n# 🪷 Security Posture: 85/100 [████████████████░░░░]\n\n# Learn about a specific rule\nubon explain SEC001\nubon explain VIBE003\n```\n\nSee `docs/CURSOR.md` for Cursor integration guide and `CHANGELOG.md` for previous releases.\n\n## Commands\n\n```bash\nubon check                              # Quick static analysis\nubon scan                               # Full scan with link checking\nubon scan --interactive                 # Guided issue walkthrough\nubon check --git-changed-since main     # Scan only changed files (CI)\nubon check --apply-fixes                # Apply safe auto-fixes\nubon check --preview-fixes              # Preview fixes before applying\nubon explain \u003crule\u003e                     # Detailed info about a rule\n```\n\nOutput formats:\n```bash\nubon check --json                       # JSON for AI agents\nubon check --sarif results.sarif        # SARIF for GitHub code scanning\nubon check --format table               # Table for quick triage\n```\n\nSee `docs/CLI.md` for full reference.\n\n## Configuration\n\n```bash\nubon init                    # Generate project config\nubon check --update-baseline # Suppress existing issues, focus on new code\n```\n\nConfig file (`ubon.config.json`):\n```json\n{\n  \"profile\": \"next\",\n  \"minConfidence\": 0.8,\n  \"failOn\": \"error\",\n  \"disabledRules\": [\"SEC018\"]\n}\n```\n\nSee `docs/CONFIG.md` for full options.\n\n## Documentation\n\n- [Integration Guide](GUIDE.md) — Comprehensive reference\n- [Cursor Integration](docs/CURSOR.md) — AI-assisted development\n- [CLI Reference](docs/CLI.md) — All commands and flags\n- [Features Matrix](docs/FEATURES.md) — What Ubon checks\n- [Rules Glossary](docs/RULES.md) — All rules with descriptions\n- [Configuration](docs/CONFIG.md) — Setup and customization\n\n## Requirements\n\n- Node.js 16+\n- Git (for `--git-changed-since`)\n- Python 3.x (for Python scanning)\n\n## License\n\nMIT — see `LICENSE`.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluisfer%2Fubon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fluisfer%2Fubon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluisfer%2Fubon/lists"}